Configuring the VyOS VPN Instance on GCP

To configure the VyOS VPN Instance on GCP:

As part of the PoC script that is run, the VM instance of the Velostrata VyOS VPN Gateway is created with its serial console option enabled.

The Velostrata VyOS VPN Gateway in GCP is also assigned the firewall tag 'fw-vpn', which allows inbound connectivity for the OpenVPN tunnel on UDP/1194 and allows SSH to the private IP address from the on-premises environment (the outbound public IP configured during the deployment script execution).

  1. Open the Google Cloud Console and locate the velosvpngateway instance.
  2. Connect to the VM serial console: under "Remote access", click "Connect to serial console". Log in with the following credentials:

User: vyos, Password: vyos

  3. Change the Velos VPN Gateway default password by entering the following commands:
conf
set system login user vyos authentication plaintext-password 'password'
commit
save
exit
  4. Delete all existing route table entries:
     a. View the current route table entries with the following command and document the VM's default gateway IP:
sudo ip route show
     b. Delete all existing route table entries:
sudo ip route delete xxx.xxx.xxx.xxx
sudo ip route delete 127.0.0.0/8

  5. Using the nano editor with sudo, edit the config file 'vyatta-postconfig-bootup.script' located under /opt/vyatta/etc/config/scripts/, for example:

sudo nano -w /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script

  6. Add the following lines to it (replace defaultGatewayIp with the public subnet gateway IP for the VPC, for example 10.10.1.1):

ip route add 'defaultGatewayIp' dev eth0
ip route append default via 'defaultGatewayIp'

Save by pressing Ctrl+X, then confirm Save and Exit.

  7. Reboot.
  8. Upgrade the VyOS image using the following command. Accept all defaults and, when finished, reboot:
add system image https://downloads.vyos.io/release/1.1.8/vyos-1.1.8-i586.iso

  9. Change the MTU value for eth0:

config
set interfaces ethernet eth0 mtu 1460
commit
save
exit
  10. Copy the shared secret key file obtained previously from the on-premises VyOS virtual appliance to the velosvpngw appliance. Replace VyosNewPass with the new password you configured for the cloud appliance and xx.xx.xx.xx with the IP address of the appliance:

pscp -pw VyosNewPass secret vyos@xx.xx.xx.xx:/config/auth

  11. Using PuTTY, connect to the VyOS instance on AWS to proceed with its configuration.

  12. Configure source-based NAT for the private subnet network. The VyOS instance will function as a NAT gateway, enabling private subnet instances to access the Internet:

config
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address masquerade
  13. Set up the VPN tunnel using OpenVPN:
set interfaces openvpn vtun0 local-address 172.16.100.1
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 keep-alive interval 10
set interfaces openvpn vtun0 keep-alive failure-count 5
set interfaces openvpn vtun0 remote-address 172.16.100.2
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
  14. Set a static route to direct workload traffic from the private subnet to the corporate network. Replace 192.168.10.0/24 below with the on-premises network subnet:
set protocols static route 192.168.10.0/24 next-hop 172.16.100.2
  15. Commit and save the configuration:
commit
save
exit
  16. Verify that the VPN tunnel has been established:
show openvpn site-to-site status
ping 172.16.100.2
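Steps 4 to 6 above take the gateway address from the route table and write it into the bootup script by hand. The following shell script is an added example, not part of the original guide: it extracts the default gateway from a constructed sample of 'sudo ip route show' output, checks that it is a well-formed IPv4 address (so the placeholder defaultGatewayIp or a typo cannot end up in the bootup script), and renders the route-delete commands and the two bootup-script lines. The sample route output and the gateway 10.10.1.1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: derive the GCE default gateway
# from 'ip route show' output and render the commands used in steps 4 to 6.

# Constructed sample of 'sudo ip route show' on a fresh GCE VyOS instance
# (assumed layout; 10.10.1.1 is the guide's example gateway value).
SAMPLE_ROUTES='default via 10.10.1.1 dev eth0
10.10.1.1 dev eth0 scope link
127.0.0.0/8 dev lo scope host'

# Print the next hop of the 'default via X' line; prints nothing if absent.
default_gateway() {
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Return 0 only for a dotted-quad IPv4 address whose octets are all 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    BEGIN { bad = 0 }
    NF != 4 { bad = 1 }
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) bad = 1 }
    END { exit bad }'
}

# Step 4b: the two route deletions, with the documented gateway filled in.
delete_commands() {
  valid_ipv4 "$1" || return 1
  printf 'sudo ip route delete %s\nsudo ip route delete 127.0.0.0/8\n' "$1"
}

# Step 6: the two lines to add to vyatta-postconfig-bootup.script.
bootup_lines() {
  valid_ipv4 "$1" || return 1
  printf 'ip route add %s dev eth0\nip route append default via %s\n' "$1" "$1"
}

# Stand-alone run: print what would be typed, or fail if no default route.
main() {
  gw=$(default_gateway "$SAMPLE_ROUTES")
  [ -n "$gw" ] || { echo "no default route found" >&2; return 1; }
  delete_commands "$gw" && bootup_lines "$gw"
}

main "$@"
```

On the real instance, feed it the live output (for example `default_gateway "$(sudo ip route show)"`) instead of the constructed sample.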